|
I'd rather not just give the users the group since that would give them easy access to the IFS resources outside the application.
I guess it's pick-your-poison. If swapping, the application profile would need either *ALLOBJ or explicit authority to every profile that would be running the app. That would be a dangerous profile if it was ever compromised. On the other hand, the GID method requires that every app user have authority to that profile. That means any of them could (potentially) utilize that profile outside the specific app.
For now, I'm going to just go with the GID solution and see how well that flies.
Thank you all so much!
For posterity:
The qsysetegid RPGLE sample I found here: http://forums.iprodeveloper.com/forums/aft/45642
The errno RGPLE sample I found here: http://www.scottklement.com/rpg/socktut/errorhandling.html
-----Original Message-----
From: Scott Klement [mailto:rpg400-l@xxxxxxxxxxxxxxxx]
Sent: Wednesday, October 09, 2013 3:09 PM
To: RPG programming on the IBM i (AS/400 and iSeries)
Subject: Re: Authority on Java calls
Can you assign the group profile as a "supplemental group" of the user profile? Or is that giving the user too much access?
If you want to use adopted authority, you'll probably have to do a profile swap. The 'profile handle' APIs will respect adopted authority, allowing you to swap to a profile that you might not have had authority to without adopting.
But, if you do profile swapping, you need to be very careful that your application can not exit without swapping back (else the user can keep the elevated authority) and also that someone cannot simply open your program in STRDBG and change variables so that they can keep the elevated authority... etc, etc.
-SK
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.